The SSL store contains the certificates of the Certification Authorities (CAs) trusted by the gateway. It defines the gateway's root of trust and therefore, indirectly, which connections the gateway considers secure.

Add a CA certificate

You can add a new CA certificate to trust in the store.

Copy the certificate to the gateway at /usr/share/ca-certificates/extra/.

The certificate must be in PEM format. You can convert your certificate following this guide: https://www.sslshopper.com/ssl-converter.html.

Example: install the Let's Encrypt ISRG Root X1 certificate

sudo mkdir -p /usr/share/ca-certificates/extra
sudo wget https://letsencrypt.org/certs/isrgrootx1.pem -O /usr/share/ca-certificates/extra/isrgrootx1.crt

Reference the certificate in the CA certificate store configuration file at /etc/ca-certificates.conf.

echo 'extra/isrgrootx1.crt' | sudo tee -a /etc/ca-certificates.conf 

Content of /etc/ca-certificates.conf

# Lines starting with # will be ignored
# Lines starting with ! will remove certificate on next update
#
mozilla/ACCVRAIZ1.crt
mozilla/AC_RAIZ_FNMT-RCM.crt
mozilla/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt
[...]
mozilla/USERTrust_ECC_Certification_Authority.crt
mozilla/USERTrust_RSA_Certification_Authority.crt
mozilla/XRamp_Global_CA_Root.crt
extra/isrgrootx1.crt

Finally, update the CA certificates store with:

sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

The new certificate is now installed. You may need to restart the applications using the SSL store to make them include the newly installed certificate.
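Because every file referenced in /etc/ca-certificates.conf becomes a trust anchor, it is worth checking a downloaded certificate before copying it into /usr/share/ca-certificates/extra/. The following is an added example, not part of the original procedure: verify_ca_cert and norm_fp are hypothetical helper names, and the expected SHA-256 fingerprint is assumed to come from the CA through a separate channel.

```shell
#!/bin/sh
# Added example: gate a downloaded CA certificate before it enters the store.
# verify_ca_cert and norm_fp are hypothetical helpers, not ca-certificates tools.

# Normalise a fingerprint: drop colons/spaces, lower-case the hex digits.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }

# verify_ca_cert FILE EXPECTED_SHA256
# Returns 0 only if FILE is one PEM certificate, is flagged CA:TRUE, has not
# expired, and matches the SHA-256 fingerprint obtained out of band.
verify_ca_cert() {
    cert=$1
    expected=$(norm_fp "$2")

    # Must parse as PEM X.509 (DER input or garbage fails here).
    openssl x509 -in "$cert" -inform PEM -noout 2>/dev/null ||
        { echo "reject: $cert is not a PEM certificate" >&2; return 1; }

    # One certificate per file, so only the reviewed root gets installed.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert" || true)
    [ "$count" -eq 1 ] ||
        { echo "reject: $cert holds $count certificates" >&2; return 1; }

    # A trust anchor is expected to carry basicConstraints CA:TRUE.
    openssl x509 -in "$cert" -noout -text | grep 'CA:TRUE' >/dev/null ||
        { echo "reject: $cert is not marked CA:TRUE" >&2; return 1; }

    # Refuse certificates that have already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "reject: $cert has expired" >&2; return 1; }

    # Compare against the fingerprint published by the CA.
    actual=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | cut -d= -f2)
    [ "$(norm_fp "$actual")" = "$expected" ] ||
        { echo "reject: fingerprint mismatch for $cert" >&2; return 1; }
    return 0
}

# Usage on the gateway (download to a staging path first, install only on success):
#   wget https://letsencrypt.org/certs/isrgrootx1.pem -O /tmp/isrgrootx1.pem
#   sh verify_ca_cert.sh /tmp/isrgrootx1.pem '<SHA-256 fingerprint from the CA>' &&
#       sudo cp /tmp/isrgrootx1.pem /usr/share/ca-certificates/extra/isrgrootx1.crt
if [ "$#" -eq 2 ]; then verify_ca_cert "$1" "$2"; fi
```
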

Remove a CA certificate

Mark the certificate to be deleted in the CA certificate store configuration file at /etc/ca-certificates.conf (prefix the line with !).

# Lines starting with # will be ignored
# Lines starting with ! will remove certificate on next update
#
mozilla/ACCVRAIZ1.crt
mozilla/AC_RAIZ_FNMT-RCM.crt
mozilla/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt
[...]
mozilla/USERTrust_ECC_Certification_Authority.crt
mozilla/USERTrust_RSA_Certification_Authority.crt
mozilla/XRamp_Global_CA_Root.crt
!extra/isrgrootx1.crt

Update the CA certificates store with:

Update CA certificates

sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

You can then clean up by removing the certificate from /usr/share/ca-certificates/extra and the configuration entry in /etc/ca-certificates.conf.

The certificate is now removed from the store. You may need to restart the applications using the SSL store to make them ignore the removed certificate.